Executive Summary 1 s1

Malware and harmful software
Consumer views on software threats and use of protections
OCTOBER 2013
Canberra
Red Building
Benjamin Offices
Chan Street
Belconnen ACT
PO Box 78
Belconnen ACT 2616
T +61 2 6219 5555
F +61 2 6219 5353 / Melbourne
Level 44
Melbourne Central Tower
360 Elizabeth Street Melbourne VIC
PO Box 13112
Law Courts
Melbourne VIC 8010
T +61 3 9963 6800
F +61 3 9963 6899 / Sydney
Level 5
The Bay Centre
65 Pirrama Road
Pyrmont NSW
PO Box Q500
Queen Victoria Building
NSW 1230
T +61 2 9334 7700
1800 226 667
F +61 2 9334 7799
© Commonwealth of Australia 2013
This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced
by any process without prior written permission from the Commonwealth. Requests and inquiries concerning reproduction
and rights should be addressed to the Manager, Editorial Services, Australian Communications and Media Authority,
PO Box 13112 Law Courts, Melbourne Vic 8010.
Published by the Australian Communications and Media Authority
acma | xiii
Contents (Continued)

Executive summary 1

Perceived likelihood of experiencing malware infections 1

Protection of home computers and laptops against harmful software 2

Protection of mobile devices from harmful software 2

Who is responsible for protecting consumers against harmful software? 2

Introduction 4

Research objectives 4

Research methodology 4

Background information 5

Overview of internet use 7

Key findings 11

Introduction—what is malware? 11

Perceived likelihood of experiencing malware 11

Protections against harmful software and viruses 17

Who is responsible for protecting users against harmful software? 23

Appendixes 27

Appendix A—Survey design and methodology 27

Appendix B—Survey questionnaire (malware component) 29

acma | xiii

Executive summary

In 2012, the Australian Communications and Media Authority (the ACMA) commissioned a national telephone survey with 1,500 Australians aged 18 years and over and four focus group discussions also conducted with adults. Part of this research examined Australians’ awareness of possible threats from malware (malicious software), the use of protections against harmful software, and views on whose responsibility it is to protect computers against malware.

Malware infections enable computers, and potentially tablets and smartphones, to be controlled remotely for illegal or harmful purposes without the users’ knowledge. Possible repercussions for internet users include the mass distribution of spam, hosting of phishing sites or identity theft.

This research provides a context for the ACMA’s activities relating to malware, notably the Australian Internet Security Initiative (AISI) under which participating internet providers—mainly internet service providers (ISPs) and universities—are notified of malware infections affecting their customers; and the ACMA’s Cybersmart program, which helps children and families to use the internet safely and securely.

Summary of internet use

To provide context for these research findings on malware, the study found that 86 per cent of Australian adults used the internet for personal purposes. Personal internet users comprised almost all of the 18–24 age group (99 per cent) and usage declined with age. People aged 65 years and over were least likely to be internet users (60 per cent).

Almost three-quarters of Australian adults (74 per cent)—or 88 per cent of internet users—reported making online financial transactions which included online banking, shopping or paying bills. Australians aged 18–34 years were more likely to make online financial transactions (91 per cent) than the 65 years and over age group (43 per cent).

Perceived likelihood of experiencing malware infections

More internet users reported that harmful software or malware was an unlikely risk to their computer (43–50 per cent) than a likely risk (28–33 per cent).[1] A substantial minority (22–25per cent) gave a neutral response (that is, neither likely nor unlikely) or said they did not know if there was a risk.

Perceptions of likely risk from malware increased with the age of internet users, and risk was regarded as more likely by people who speak languages other than English at home. The risk of their computers being infected by malware was perceived as ‘highly unlikely’ by more internet users who did not make online financial transactions compared to those who did make these transactions.

Protection of home computers and laptops against harmful software

The research indicates that most adult internet users were active in protecting their home computers and laptops from harmful software and viruses. However, a notable minority reported that their home computer or laptop does not have protective software (10 per cent) and a further eight per cent that it is not regularly updated. Nineteen per cent reported that operating systems are not kept up-to-date (19 per cent).

Various other methods of minimising risks from harmful software were in use, including not clicking on email links from unknown senders (82 per cent of internet users with home computers or laptops), immediately deleting emails from unknown sources (82 per cent), not visiting certain websites (79 per cent), keeping browsers up-to-date (78 per cent) and keeping program software up-to-date (76 per cent).

Key reasons mentioned for not having protections were:

  having a computer brand that does not get infections (15 per cent)

  having no need of protections (12 per cent)

  not knowing how to install antivirus protection or how to update computer software (nine per cent).

There were only minor differences between age groups with young adults aged 18–24 years least likely to keep protective software up-to-date, click on email links from unknown senders and delete emails from unknown sources. Older adults aged 65 years and over were least likely to update their program software.

Protection of mobile devices from harmful software

Internet users were considerably less certain about whether their mobile phone and other mobile devices are protected against harmful software. Just over half (52 per cent) of adults who usually used a mobile device (for financial transactions or social networking) said it is protected. Almost a quarter reported that it was not protected (24 per cent) and the same proportion said they did not know (24 per cent).

Key reasons for believing mobile devices are protected from harmful software were:

  an understanding that the operating system has built-in protections (36 per cent of people who said their device is protected)

  having installed protective software themselves (29 per cent)

  not experiencing any problems or infections (eight per cent)

  no reason/did not know (10 per cent).

Who is responsible for protecting consumers against harmful software?

The majority of adult Australian internet users reported that protecting computers from harmful software is a shared responsibility (82 per cent)—a responsibility shared between internet users, ISPs, computer program suppliers and/or government.

It was also widely acknowledged that internet users are mostly responsible for protecting their personal computers, mobile phones and other mobile devices against harmful software. Over three-quarters of internet users (77 per cent) reported that they or individual internet users are mostly responsible. Thirteen per cent of internet users regarded the protection of their computer from harmful software as their sole responsibility.

Whether regarded as a sole or shared responsibility, almost all internet users said they or individual internet users have at least some responsibility for protecting their computers from harmful software:

  individual internet users (90 per cent of internet users reported this)

  ISPs (57 per cent)

  computer software suppliers (45 per cent)

  government (22 per cent).

Some focus group participants seemed to be aware of potential security risks that can result from a malware infection, and that infections can occur without a user’s knowledge. Some had experienced compromises that had affected the operation of their computer. Other participants said they knew that malware and/or virus infections were ‘bad’ but they lacked any further knowledge about possible consequences.

Limitations were recognised by a number of participants to existing protections against harmful software and malware. This included a lack of trust and confidence in the security of certain operating systems, and the need to maintain and keep operating systems and antivirus software up-to-date. Some participants also recognised that protective software could not guard against all infections, particularly new and more sophisticated forms of harmful software or malware.

Some participants said they only used their personal computers for online banking because they perceived them as being more secure than their mobile devices. Very few participants were certain that their mobile device was protected from harmful software and assumed that it was protected; some had not experienced harmful software, and during discussions others began to question whether their smartphone was actually protected.

Many participants said they were unsure of the role played by ISPs in protecting computers from harmful software. While many supported the idea that ISPs inform their customers if they become aware that their computer is compromised, they were also concerned about their privacy and the possibility of being monitored by ISPs.

Introduction

In 2012, the Australian Communications and Media Authority (the ACMA) commissioned quantitative and qualitative research with Australians aged 18 years and over into consumer awareness of malware (malicious software) threats, the use of protections against harmful software and views on who is responsible for protecting computers against malware.

Malware infections enable computers to be controlled remotely for illegal or harmful purposes without the computer users’ knowledge. While malware compromises may not be recognised by affected computer users, possible repercussions for internet users include the mass distribution of spam, hosting of phishing sites or identity theft.

This report presents research that formed part of a larger study into consumer views about unsolicited communications and malware. It provides a context for the ACMA’s activities relating to malware, notably the AISI under which internet providers are notified of malware infections affecting their customers, and the Cybersmart program, which helps children and families to use the internet safely and securely.

The following chapters present survey findings from telephone interviews with 1,500 Australians aged 18 years and over. The survey data has been weighted to represent the Australian adult population with telecommunication access and includes people with fixed-line home phones and those with mobiles only.

Verbatim quotations from focus group participants are included alongside the survey findings. These help in understanding some of the ways that people speak about their use of online media and the protections they use against harmful software.

Research objectives

This research sought to identify:

  the proportion of adult Australians who participate in online banking, shopping, paying bills and online social networking activities, and the devices typically used for these purposes

  general perceptions of adult Australians who use the internet for personal purposes about the likelihood of experiencing malware infections

  methods used to protect internet-enabled home computers from harmful software and viruses, and reasons for not using protections

  the extent to which adult Australians believe their mobile phones and mobile computer devices are protected from harmful software, and their reasons for believing this

  the views of adult Australian internet users on who is responsible for protecting personal computers and mobile devices against harmful software.

Research methodology

A nationally representative telephone survey of 1,500 Australians aged 18 years and over, comprising 1,207 household respondents with fixed-line phones and 293 mobile only phone users, was undertaken by Roy Morgan Research between 17 and 30 July 2012. A full description of the survey research methodology is provided at the end of this report (Appendix A).

Four focus group discussions were also conducted after the survey between 16 and 18 August 2012 to provide depth and richness to the national survey results. Two groups were conducted in Melbourne and two on the Sunshine Coast with eight to 10 participants in each group. Each group was mixed gender with two groups comprising people aged 18–34 years and two groups with people aged 35 years and over.

Interpretation of findings

Significance testing at the 95 per cent confidence level has been applied to findings from the survey research. Specifically, significance testing throughout this report has been used to compare whether there is a reliable difference that is unlikely to be due to chance between each individual group or segment and the total group (for example, for gender, age, income).

In some cases, the report discusses differences that are not statistically significant where there is evidence of a consistent pattern of reported attitudes or behaviour.

The reader may notice some discrepancies between the sums of the component items and totals. This may occur due to the effects of rounding or exclusion of ‘don’t know’ responses.

Background information

The ACMA is an independent statutory authority responsible for the regulation of broadcasting, the internet, radiocommunications and telecommunications in Australia. The strategic intent of the ACMA is to make communications and media work in Australia’s public interest.

To help the ACMA understand how changes in the communications and media environment affect regulatory settings, and the role of citizens and industry in Australia’s developing networked society and information economy, we run a comprehensive program called researchacma.

The ACMA has developed a three-year researchacma overview that explains how external drivers, environmental pressures, the policy environment and internal business needs determine our annual research priorities. But at the heart of our strategic vision are five broad research areas that remain relatively constant:

  market standards

  content and cultural values

  social and economic participation

  safeguards

  regulatory practice and design.

This report on malware contributes to the ACMA’s research theme on social and economic participation, which is directed to identifying the regulatory settings and interventions to assist citizens in protecting their personal information and digital data in an information economy.

The Australian Internet Security Initiative

The AISI is a voluntary program administered by the ACMA that provides participating internet providers—mainly ISPs and universities—with reports on compromised computers and other internet-connected devices. These reports are derived from data that the AISI collects from various sources on computers and other devices on the Australian internet that exhibit behaviour consistent with a malware infection. Data in the AISI reports cannot be used to identify individual users.